zookeeper-user mailing list archives

From Ivan Kelly <iv...@apache.org>
Subject Re: QOP SASL property
Date Fri, 09 Oct 2015 14:30:01 GMT
IMO, adding QOP to 3.4 would be a fairly large and invasive change, which
is something which shouldn't be done on the stable branch.

-Ivan

On Fri, Oct 9, 2015 at 4:02 PM Flavio Junqueira <fpj@apache.org> wrote:

> Not in the 3.4 branch, which is the latest stable branch at the moment.
>
> -Flavio
>
> > On 09 Oct 2015, at 15:00, Ivan Kelly <ivank@apache.org> wrote:
> >
> > Is auth-int necessary if we have SSL on the client (as there is in trunk)?
> > My understanding is that all comms would have to be wrapped by sasl if you
> > have QOP enabled.
> >
> > -Ivan
> >
> > On Fri, Oct 9, 2015 at 9:42 AM Flavio Junqueira <fpj@apache.org> wrote:
> >
> >> Hi Chris,
> >>
> >> Yeah, I was thinking along the same lines, so sounds like a plan. I know
> >> Raul is going to hate me for this, but I'd really like to have this in
> >> 3.4.7. It sounds like a simple enough change that we can have in shortly,
> >> does it sound right?
> >>
> >> Please go ahead with the jira if you have time, and if you don't have time
> >> to work on the patch, just assign it to me.
> >>
> >> -Flavio
> >>
> >>
> >>> On 08 Oct 2015, at 23:16, Chris Nauroth <cnauroth@hortonworks.com> wrote:
> >>>
> >>> Hi Flavio,
> >>>
> >>> It appears that the current code doesn't give us any way to control the
> >>> QOP, so it must be always using the default QOP of "auth" (authentication
> >>> only).  This is because the calls to Sasl#createSaslClient and
> >>> Sasl#createSaslServer pass a hard-coded null for the properties map.
> >>>
> >>>
> >>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L240
> >>>
> >>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L288
> >>>
> >>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L118
> >>>
> >>> https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L144
> >>>
> >>> If we want to support setting QOP to "auth-int" (authentication +
> >>> integrity/man-in-the-middle tampering protection) or "auth-conf"
> >>> (authentication + integrity + confidentiality/encryption), then I think
> >>> we'll need to make code changes to read a new QOP configuration property,
> >>> put it into a Map using Sasl#QOP as the key, and then pass it along to the
> >>> Sasl#createSaslClient and Sasl#createSaslServer calls.
> >>>
> >>> Is this what you need?  If so, then I'd be happy to write up the proposal
> >>> in a new JIRA.  I didn't find any existing open JIRAs that look relevant.
> >>>
> >>> --Chris Nauroth
> >>>
> >>>
> >>>
> >>>
> >>> On 10/8/15, 2:06 PM, "Flavio Junqueira" <fpj@apache.org> wrote:
> >>>
> >>>> Has anyone tried to use the QOP (Quality of Protection) property for SASL
> >>>> when running ZooKeeper?
> >>>>
> >>>> -Flavio
> >>>
> >>
> >>
>
>
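
Added example, not part of the original thread and not ZooKeeper's code: the change described in the quoted 08 Oct message (read a QOP setting, put it in a Map keyed by Sasl.QOP, pass it to both factory calls), exercised with an in-process DIGEST-MD5 handshake. The property name example.sasl.qop, the credentials, and the protocol and server names are assumptions made up for this example; it needs Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class SaslQopExample {
    // Hypothetical property name for this example; not a ZooKeeper setting.
    static final String QOP_PROPERTY = "example.sasl.qop";
    static final Set<String> VALID_QOP = Set.of("auth", "auth-int", "auth-conf");

    // Builds the properties map to pass instead of null. Sasl.QOP accepts a
    // comma-separated preference list, so each entry is validated.
    static Map<String, String> saslProperties() {
        String qop = System.getProperty(QOP_PROPERTY, "auth");
        for (String value : qop.split(",")) {
            if (!VALID_QOP.contains(value.trim())) {
                throw new IllegalArgumentException("Unsupported QOP: " + value);
            }
        }
        return Map.of(Sasl.QOP, qop);
    }

    public static void main(String[] args) throws Exception {
        System.setProperty(QOP_PROPERTY, "auth-int");
        // Constructed credentials shared by both ends of the in-process handshake.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback n) n.setName("demo-user");
                else if (cb instanceof PasswordCallback p) p.setPassword("demo-secret".toCharArray());
                else if (cb instanceof RealmCallback r) r.setText(r.getDefaultText());
                else if (cb instanceof AuthorizeCallback a) a.setAuthorized(true);
            }
        };
        // Protocol and server name are constructed values for this example.
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "localhost", saslProperties(), handler);
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, "zookeeper", "localhost", saslProperties(), handler);

        byte[] token = server.evaluateResponse(new byte[0]); // server's initial challenge
        while (!client.isComplete()) {
            token = client.evaluateChallenge(token);
            if (!server.isComplete()) token = server.evaluateResponse(token);
        }
        System.out.println("negotiated QOP: " + client.getNegotiatedProperty(Sasl.QOP));

        // With auth-int or auth-conf every payload must pass through wrap/unwrap.
        byte[] payload = "getData /config".getBytes(StandardCharsets.UTF_8);
        byte[] wrapped = client.wrap(payload, 0, payload.length);
        byte[] received = server.unwrap(wrapped, 0, wrapped.length);
        System.out.println(payload.length + " -> " + wrapped.length + " bytes: " + new String(received, StandardCharsets.UTF_8));
    }
}
```

The wrap/unwrap step is the per-message cost raised in the thread: once a QOP above "auth" is negotiated, every request and response on the connection has to go through the SASL layer.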
